I am looking at this code and trying to understand if the SHA256 mentioned on lines from 13 to 16 are the ones for binaries hosted on URL: https://binaries.pantsbuild.org/bin/grpc_python_plugin/{version}/{platform}/grpc_python_plugin? Should these SHA256 match for a given platform if I built grpc version 1.32.0 from its source and then check shasum of grpc_python_plugin file?

For the first question, yes, the SHA256 is that of the one at the specified URL. So, if I download, for instance: https://binaries.pantsbuild.org/bin/grpc_python_plugin/1.32.0/macos_x86_64/grpc_python_plugin And run

shasum -a256 grpc_python_plugin

- I can see the result matches the code you called out (

b2db586656463841aa2fd4aab34fb6bd3ef887b522d80e4f2f292146c357f533

) However, for the second question, that's trickier. I don't know, because I dont know what the guarantees during the build process of that plugin, if there is any system or date/time metadata included, then no, the SHASUM won't match

Yeah, the SHASUMs don’t match when I build from source for the same version as in referred code. I am just trying to understand how did these hardcoded values in code were arrived at.

Those SHAs are taken after the plugin (or whatever downloaded file) is pre-compiled, and it doesn't matter what they are, so long as the value in the Subsystem matches the file. It's an integrity check to ensure that Pants is downloading what you think it is supposed to be downloading. You can also override those values if you have a different version of the plugin at some URL. These are the docs that explain what an ExternalTool is: https://www.pantsbuild.org/docs/rules-api-installing-tools#externaltool-install-pre-compiled-binaries